Affected Versions
Versions 3.0.0 through 3.0.9, and 3.1.0 through 3.1.1 are affected.
Description
Active and valid staff members may be able to access areas of the application for which they have not been granted ACL permissions. Additionally, staff members may not be logged out immediately after being made inactive, so an existing session can continue to be used after the account is deactivated. These issues are classified as Moderate vulnerabilities. Patch releases 3.0.10 and 3.1.2 correct these vulnerabilities.
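The two conditions above are both failures of per-request authorization: an ACL decision that is skipped for some areas, and a login state that is trusted after the underlying account has changed. The following PHP is an added illustration of the pattern that closes both gaps, not Blesta's own code; the StaffGuard class, its method names and the in-memory staff, ACL and session stores are all constructed for this example.

```php
<?php
// Added example, not Blesta code. The staff table, ACL table and session store
// are in-memory stand-ins constructed for illustration.

final class StaffGuard
{
    /** @var array<int, array{status: string}> staff id => record */
    private array $staff;
    /** @var array<int, array<string, bool>> staff id => "controller::action" => allowed */
    private array $acl;
    /** @var array<string, array{staff_id: int}> session id => session data */
    private array $sessions;

    public function __construct(array $staff, array $acl, array $sessions)
    {
        $this->staff = $staff;
        $this->acl = $acl;
        $this->sessions = $sessions;
    }

    // Administrative action: mark the staff member inactive and drop every
    // live session that belongs to them, so the logout is immediate rather
    // than deferred until the session happens to expire.
    public function deactivate(int $staffId): void
    {
        if (isset($this->staff[$staffId])) {
            $this->staff[$staffId]['status'] = 'inactive';
        }
        foreach ($this->sessions as $sid => $session) {
            if ($session['staff_id'] === $staffId) {
                unset($this->sessions[$sid]);
            }
        }
    }

    // Called at the top of every request, for every controller and action,
    // before any handler runs. Returns true only when the session maps to a
    // staff member who is still active and has an explicit ACL grant.
    public function authorize(string $sessionId, string $controller, string $action): bool
    {
        if (!isset($this->sessions[$sessionId])) {
            return false;
        }
        $staffId = $this->sessions[$sessionId]['staff_id'];
        $record = $this->staff[$staffId] ?? null;

        // Re-read the account status on every request instead of trusting the
        // state captured at login; a deactivated account is logged out here
        // even if deactivate() was never called for its session.
        if ($record === null || $record['status'] !== 'active') {
            unset($this->sessions[$sessionId]);
            return false;
        }

        // Deny by default: only an explicit allow grants access to this area.
        return $this->acl[$staffId]["{$controller}::{$action}"] ?? false;
    }

    public function hasSession(string $sessionId): bool
    {
        return isset($this->sessions[$sessionId]);
    }
}

// Usage with constructed data: two active staff members, one with a grant.
$guard = new StaffGuard(
    [1 => ['status' => 'active'], 2 => ['status' => 'active']],
    [1 => ['admin_billing::index' => true], 2 => []],
    ['sess-a' => ['staff_id' => 1], 'sess-b' => ['staff_id' => 2]]
);

var_dump($guard->authorize('sess-a', 'admin_billing', 'index'));
var_dump($guard->authorize('sess-b', 'admin_billing', 'index'));
$guard->deactivate(1);
var_dump($guard->authorize('sess-a', 'admin_billing', 'index'));
var_dump($guard->hasSession('sess-a'));
```

The important property is that authorize() is the single chokepoint every request passes through, so no area of the application can be reached without an ACL decision, and the status check inside it means a session cannot outlive the account it was issued for even if the deactivation path forgets to clear sessions.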
Resolution
If you are running 3.0.x, upgrade to version 3.0.10. If you are running 3.1.x, upgrade to version 3.1.2.
Related tasks:
- CORE-1062
- CORE-1063
- CORE-1064
Credits
CORE-1062 was discovered by Nerijus Barauskas at NGnTC. CORE-1063 and CORE-1064 were discovered by the Blesta Development Team.